Okay, so yeah, I found all three in one picture from Google. So this is Tesla, one of my dreams one day. Yeah, so this is about... not about them. So you may wonder what Tesla is doing inside a security topic in WordPress, so let me go around. My topic is actually hardening WordPress and driving a car, two different topics; I will be able to combine them when I'm going to end. So who am I? I'm Chattu Ishwajit from Sri Lanka, and I'm also an OZIRA ambassador, a company specialized in identity as a service, giving you passwordless login and two-step verification, working very much on and contributing to the open source ecosystem, and I run my own startup. That's it about me.

So, some other cars in my garage. Yeah, in dreams, in dreams, in my garage. So what are the things we need to consider when you are going to drive a car? An input from you? Yeah, you need to be here, and brakes, most probably brakes. So the first thing is actually: is the car in good condition, is it drivable, or did we get the parts when I'm going around? The other thing is, if you have a good car, you need to take care of the maintenance. Yeah, you need to think about your car. Which one do you like, the clean one? It's a BMW; the other one, I don't know what it is. Which one do you like? So I think you prefer the cleaner one, sure, but if you're a geek you would like the other way, hot-wiring something, and me included. But from the perspective of WordPress and normal general people, I think the cleaner one is a must, basic. So if it is maintained well it will keep like that, or if you are not maintaining it well you're going to be like that: if you put many plugins and all these things, when it's extra stuff, it's going like that. So the other thing is, you have a good car, but do you have good road conditions? You have a good vehicle, yeah, but do you like a bumpy road or a good ride? Yeah, when it comes to my car, my country, so the second one is much better, so imagine. So the other conditions also matter: you need to have good road conditions. Other than that, even though you are a good driver, are the others good drivers? So you need to have a good ecosystem also. Are they good drivers? Even though you drive well, somebody will knock you off, maybe drunk, or maybe careless, or maybe on a mobile phone; still you get accidents even though you are a good driver. Or maybe like this; yeah, it's common in Sri Lanka and more common in India also. So yeah, it's going to be like this: even though you have good drivers, even if you are good drivers, we will end up like this. And the other thing is, are you a safe driver? Are you cautious, or are you thinking about dying yourself? And I think you are like this. Yeah, that's not good, that's not going to be a good ride. Maybe the other good drivers feel... Even though you are good drivers and you have all the good drivers in the world, maybe you still have bad luck and you will end up like this. Even though you have a good car like a BMW, you will end up like this, even a branded bull. So you can think what the point is: actually, you need to maintain everything, but still you will get into trouble from the back. So it's okay, enough reason, okay, it's all enough. Now it's going back to the topic.

So what's going on with WordPress? So, is WordPress secure? How many of you think that WordPress is secure already? Yeah, that's good, you have kind of a good faith and good trustworthiness in WordPress. Yeah, it's cool. So anyway, WordPress is secure, okay, but there can be some special things happening; otherwise I wouldn't be talking about this topic anymore if it is secure. So what's going on: the threat is actually coming 50%, what I mean is actually, from the WordPress plugins themselves, and 30% actually from WordPress core itself, and the rest from themes. That's the thing. So we are the developers, kind of, but we like to have bugs in the core, you know; we cannot have hundred percent secure or hundred percent bug-less software, it's a kind of myth. So yeah, there's going to be a bug; we will do continuous improvements and those things, so you don't need to worry about it.

The reason is, there was actually a kind of remote code execution bug in Duplicator; it's a famous plugin which is used to back things up and maybe clone the WordPress. If you are using this one, better to update it, because they had an issue. Yep, and Ninja Forms, also a very famous one; it also recently had an issue with cross-site scripting and CSV injection, and they also patched it. So if you are in good hands, if you are better than me... And also WordPress had a security update recently because of a bug in the core itself, so if you are running this one, better to update it, and it's already updated for you, because WordPress normally gives you security updates.

So there's a project called the Open Web Application Security Project; they actually listed the top 10 security vulnerabilities in WordPress. The first one is injection; it's like SQL injection, so it's like running some SQL-related commands and getting data from your website, and maybe getting your usernames and passwords. And broken authentication, so also kind of a bug in there. So this is the top 10, actually; I'm going to go fast on these ones and really give you some explanation. Sensitive data exposure is actually giving out the usernames and other emails and stuff without even looking at it. There are some other resources, third-party, and using external XML entities, you get some other security issues because of these things. And then it's security misconfiguration: security misconfiguration is that you actually set up the plugins and all the stuff wrong; it's moving forward. And cross-site scripting is a normal bug you're getting from many plugins and with themes itself, because you can run arbitrary JavaScript commands inside the website and get some information, especially stored in the cookies also. And insecure deserialization, that you can access the encrypted data. And using components with known vulnerabilities, like some plugins, or plugins using some other open source projects with vulnerabilities, most of them actually related to XML processing. And you don't have much information on logging and monitoring, like which actions actually occurred and who is the one responsible for these actions. So these are the top 10 actually listed in there. So if you know about these things, or if you are okay with these things, that means you're totally okay for now; there may be new updates coming out.

So how to drive safely with the car? The first one is actually continuous improvement. What is continuous improvement? The thing is, you need to improve your WordPress core, and you need to improve your themes and plugins, but that's not enough: you need to improve yourself, your knowledge about security. That's why you are here, I think. Yeah. So the first thing is: find secure hosting. That means get a good car; don't get an old car with some special parts and all that stuff; instead of this, get a good car like a Tesla. Yeah, even if it still had some issues somewhere, they are good at updating. So find secure hosting. The next thing is, even if you have a good car, don't forget to maintain it: you need to update the core, themes and all that stuff. Don't forget to update. You just create an application for a customer, update it, upload it and just go away; don't do that. Keep it updated, keep the website updated. So the first thing is get WordPress up to date, keep your plugins and themes updated, and change the password. It's like your toothbrush: don't use it for too long, just change it, and don't use the same brush as anyone else to brush your teeth. And keep yourself updated: just know about what vulnerabilities are coming, for which plugins, why they are releasing updates, what's in there. So keep yourself updated; there are some security-related blogs, and if you can, you can follow them. I believe there are some links at the end of this session; you can keep updated with what vulnerabilities are coming up.

The next thing is: use your own, not the defaults. Don't use whatever things they give you; use your own ones. Like the first one: don't use admin as your username; everybody knows it's admin. So get some random one for you. And you have wp-config, which is one of the most important things in the WordPress ecosystem. So they have separate keys in that wp-config; this is used to encrypt the session and everything in the database related to encryption. So it has salts, nonces and all the security keys, which you need to have as your own randomly generated ones, and WordPress has a URL and API to get these randomly generated values; you can put them in there. And don't use the wp_ prefix; everybody knows that normally you use it as a default, so use your own prefix, don't use wp_. The next thing is to prevent user enumeration, like you go there and put in just some random username and check, or you go to the author's page and get the list of users. So try to prevent user enumeration: have kind of a captcha challenge, or you can use a kind of rewrite rule to stop the query string. The next thing is, don't forget about the old ones: if you don't use a user account, any inactive users, don't keep them in the system, because you also forget, and what you may also forget is the passwords, and you don't know that it exists anymore. So don't keep them in the system; delete those users and allocate their posts to some other account or the admin account.

And this thing is the one I actually had a nightmare with: the same as XML-RPC. If you're not using it, and most of you won't be using this one... So what happened was, in my experience, we had shared hosting with about 10 sites of clients, one client, in the same system, and all of them actually hadn't disabled XML-RPC. And it's funny: we got a DDoS attack on one site, which made the server get overwhelmed, and the server administrator actually shut down the whole account, so all the 10 sites actually running on there were down for about three hours, and most of them actually had a really good reputation. And yeah, it was a nightmare for me. So this is from experience: you can actually use .htaccess to disable XML-RPC, or there are plugins available to just disable this one. So this is the most common place that gets DDoS attacks: people actually try to do XML-RPC calls from a bot, and it will be making your resources overwhelmed, and you're getting the processor usage very high, and your administrator will shut you down if you're using a shared one. That's why I told you in the earliest slide: get good hosting. If you have good hosting with good resources, then you do not need to worry, but if you have a shared one, you need to be worried about these things.

The next thing is: disable file editing in the WordPress dashboard. Why is that important? Let's see: if somebody actually gets access to a user account in some way, the first thing they try is to change the plugins and all that stuff using the WordPress dashboard. So it's better to turn this off, so you will get a lesser amount of hacking if they could hack a user account; otherwise the result will be very different, because they can change the plugins and make changes on the front end, and it will be kind of a nightmare to get it fixed again, also because you don't know what files changed in there; then you need to go and do a default clean, remove all the things. The next thing is to limit the failed login attempts; then you are really good against brute-force attacks, because if you limit it, like for failed attempts just block the IP, then the brute-force attacks are going to go down; otherwise they will try to use multiple usernames or multiple passwords and try to log in, trying and trying. So this is normally there because there are many bots trying to check your logins, just trying to do brute-force attacks, and there are some tools here you can check how the attacks are going on and know how to disable these things.

And the best thing is this one, this is more important: back up regularly. So if some bad thing happens, you have a copy; restore and start again. If you don't have a backup and you are in a catastrophe phase, a catastrophe, so you don't think about it, it's very hard. It's what happened when I was actually starting out, so this is one of the first lessons I learned. So yeah, normally I set up a backup solution from the server, not using WordPress actually, because it makes the resource usage go up, so I actually set up a backup service from the server itself, so it backs up everything with the database and the files. And use two-factor authentication; then you know somebody is going to log into your system, and it is more secure. If you are actually doing kind of a media-related thing, where your image really matters most, better to use two-factor authentication, and you know that only the authenticated persons are going to make the changes in the posts or the new articles. The other thing is, use plugins from trusted sources like the WordPress plugin directory or somewhere else, but if there's some site saying that they have premium plugins for free, don't get into that trap: they are not giving it to you for free, they will have some backdoor inside it. So better to get it from trusted sources, because it's only one file, and it is very open source; you can actually put it into a plugin directory and it can open a completely command-line-enabled PHP backdoor. So only one file; it's open source, you can actually use it and put it into a plugin and give it to somebody else who doesn't know it. And remove unused plugins and themes: since they are unused, you are not going to update them, or you don't know they exist anymore, but they are still there in your file system, so the vulnerabilities in those unused plugins also matter to your site. And it is good for the performance of the website also if you remove the old unused plugins, and better to have a very limited number of plugins also: rather than having all the features in the WordPress plugin directory, you don't need to install everything in your website, so it's better to have a limited number of what is essential for your site.

And turn on comment approval; then you don't get it hurting your SEO (we are doing some research on that with experts), and you don't get any drug-related advertisements. So if you turn on comment approval, then you can see it and just delete it, or use a kind of spam-related plugin to just delete the spam comments which are filling your approval box. There was a site actually for a client which actually had about 20,000 spam comments waiting in the approval box, but after we actually used a plugin on spamming things, it is going to automatically remove these, and take the same text that the comment has, the spamming things, so they are going to block it anyway without it even coming to the comments. The other thing is, recently there's a much bigger hype on this one, so better to use HTTPS, because now it's very affordable, not like earlier times when getting an SSL certificate was pretty hard and very expensive; but even now there are services like Let's Encrypt where you can get a free SSL certificate, so why not use it, at least for wp-admin, where you have the password. But if you are running an e-commerce solution, you normally won't have it... this SSL thing actually makes you secure, and apart from that, if you are going to buy a domain like .app, it's mandatory to have HTTPS on the domain itself. And if you are going to upload things yourself, like plugins or changes, or you have your own plugins, use SFTP, not an unencrypted FTP tunnel; use an encrypted FTP tunnel. I think most of the new hosting providers do support it, so use kind of an encrypted way to upload your files also.

Also the new thing is that you can have an audit log, which makes it easy to monitor which user did what change; you will have that: this user actually installed this plugin, and it actually activated or deactivated, or this user went this way and activated this feature in this plugin. So then you know which one is actually responsible for the changes if you have multiple persons actually working on these projects; then you know what happened, and even if the client made some kind of change, you can actually make him responsible for that change. And this is especially for developers: in your production application, turn off the development mode; if you have all the errors showing, it will show off what your server version is and what your PHP version is, and stuff. So you may actually forget to turn it off, but turn it off in the production apps. And not only these things; like road conditions, apart from your WordPress, this matters, like Apache, PHP and Nginx; even the system had vulnerabilities and will have vulnerabilities, so you need to know about these things. If you don't have managed hosting, if you have your own hosting, you need to take care of what is in the PHP errors, what are the errors in Nginx; otherwise, if you have a good hosting provider, they will take care of this one, so you only need to worry if you are running your own hosting solution. And get some DDoS protection; there are some free solutions and there are some paid solutions we can use as a layer to make it protected from the DDoS attacks.

So since I said many vulnerabilities exist, how are you going to know about them? There's a community project called the WP Vulnerability Database; they have all the vulnerabilities listed with specific codes, so you can actually know what's wrong in there, and all the reported vulnerabilities in there, and they also have whether there's a fix or not. Apart from that, if you are very geeky, you can run it on your own. So this is an open source project which you can actually use to attack your own website, not attack actually; it will be running on your website and get enumerated what things are running on it. This is the recent screenshot from WordCamp Utrecht; so I ran it on WordCamp Utrecht this morning, and don't forget about your timestamps, it's still morning. So it gives the WordPress version that is running, WordPress 4.9.9 alpha code, so this is actually from WordCamp, and this is actually the version itself from WordPress; so they have the recent version in there and there's no vulnerability found in that version. And there's a robots.txt, there's one existing, and they said that the readme file is also present; from my point of view, better to remove the readme file also from your site, because it gives out your WordPress version. And you can see that it's running the Twenty Seventeen theme, so it goes on there and gives you what themes are running, and there's no vulnerability in the theme, and you can see they have gotten the plugins: they have Tagregator, WC4 style complex and Jetpack also there, and they are using WP Super Cache. So all the plugins actually don't have any vulnerabilities in the version they are running. So this tool is actually free and it's open source; you can just get it from GitHub, and if you have a PHP runtime this can run in your command line with your websites, and then you can actually get the insight into what is wrong with your website and you can update if needed. This is what it is; it's open source and you can actually contribute if you want, and it's actually pulling the vulnerabilities from the previous one, so once they identify the version they will pull what vulnerabilities are available in this database, so it is going to be compared with the website that you give to it. And it has different parameters you can pass: the basic scan, the default scan, and there is a full deep scan also; this takes time.

Going to the summary: so if I summarize the whole thing, don't forget to update; use your own, don't use the defaults; disable XML-RPC if you are not going to use it; limit the login attempts; and back up regularly. That's the most that I can tell you. And remove the unused plugins and themes, don't keep them; use a secure connection, use HTTPS or SFTP; and keep yourself updated about what vulnerabilities there are and what's going on in the world. And if you summarize this one in one word: continuous improvement. So you need to improve yourself about what's going on in the world and what's going on in security. And that's all folks, thank you very much for having me here in WordCamp Utrecht. I'm coming from Sri Lanka all the way to here, and thank you very much for welcoming me here, and if you have some questions, I think I have some time.

The first thing that I told you about: use a smaller number of plugins. So if you want to have these kinds of things, don't use multiple things, because it is going to reduce your performance; they are going to be scanning all the stuff, so it will be running always, so it will be harmful for your performance. Yeah, I'm not going to recommend anything anyway, but you can use kind of one plugin to check whether your file system has vulnerabilities or not, so then it alerts you on this one, and you can kind of use a firewall to block all of, like, their database with the bot IPs which normally do brute-force attacks on your login page; so you can actually block them using separate plugins. There are some good plugins which have all these things in one package, so you can actually enable that one; then it's going to limit your logins, and they're going to log the audit things, what is going on with the site, and they will give you the updates, what needs to be updated, like "this plugin needs to be updated now", so they'll send an alert to you. So they are like... but my recommendation is: just install all of them on a demo server, get some insight into them, and choose the one that supports your use case best; don't use multiple. Yeah, yeah, but as a WordCamp speaker I cannot recommend any plugins here, but maybe after the session you can speak to me, because it's not good as a speaker to recommend anything; it would be biased.

We do have some time. Are there any other questions? Don't be shy. Yeah, I'm going back on Monday, so better to ask questions.

Yes, yeah, if you know what you're doing it's totally fine, but an SVG is actually kind of an XML format, so you can actually inject something into that file also, and you can actually inject some files that even break your plugins also. Like if you're running a plugin that compresses the images, sometimes it will try to run it on the SVG, and if it has some malformed text, actually meant to be there, it breaks the plugin also. Yeah, but as I said, the XML files are inside the SVG format, so if a vulnerable file is actually uploaded it will be seen; but as we just said, it's good for the performance because it supports multiple resolutions, because it's a vector format, so it's good for the performance because it will be a very small size. No more questions? You sure? You are all just tired, digesting. Yeah, if there are no more questions, you have about a little more than half an hour, I believe, until the closing remarks, so...
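As an added example (not code from the talk or from any plugin the speaker mentions), here are several of the hardening steps from the session written as one WordPress must-use plugin: it disables XML-RPC and pingbacks, turns off the dashboard file editor, blocks `?author=N` and REST-API user enumeration, and locks out an IP after repeated failed logins. The file path, the five-failure threshold and the 15-minute lockout are assumptions; the hook names and constants are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Harden (example)
 * Description: Example mu-plugin applying hardening steps from the talk.
 * Assumed location: wp-content/mu-plugins/harden.php (loads before regular plugins).
 */

// Turn off the plugin/theme file editor in the dashboard (also fine in wp-config.php).
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}

// Disable XML-RPC, including pingbacks, which bots abuse to overload the server.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] ); // stop advertising the pingback endpoint
	return $headers;
} );

// Stop user enumeration: /?author=N normally redirects to /author/<username>/,
// and the REST users endpoint lists accounts to anonymous visitors.
add_action( 'init', function () {
	if ( ! is_admin() && isset( $_GET['author'] ) ) {
		wp_safe_redirect( home_url( '/' ), 301 );
		exit;
	}
} );
add_filter( 'rest_endpoints', function ( $endpoints ) {
	if ( ! is_user_logged_in() ) {
		unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
	}
	return $endpoints;
} );

// Limit failed logins per client IP (assumed thresholds: 5 failures, 15-minute lockout).
define( 'HARDEN_MAX_FAILS', 5 );
define( 'HARDEN_LOCKOUT', 15 * MINUTE_IN_SECONDS );

function harden_fail_key() {
	// REMOTE_ADDR is the real client only when the server is not behind a proxy or CDN.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
	return 'harden_fails_' . md5( $ip );
}

add_action( 'wp_login_failed', function () {
	$key   = harden_fail_key();
	$fails = (int) get_transient( $key );
	set_transient( $key, $fails + 1, HARDEN_LOCKOUT ); // the window restarts on each failure
} );

// Priority 50 runs after core's password checks, so a lockout overrides even a correct password.
add_filter( 'authenticate', function ( $user ) {
	if ( (int) get_transient( harden_fail_key() ) >= HARDEN_MAX_FAILS ) {
		return new WP_Error( 'too_many_attempts', 'Too many failed logins from this address; try again later.' );
	}
	return $user;
}, 50, 1 );

add_action( 'wp_login', function () {
	delete_transient( harden_fail_key() ); // a successful login clears the counter
} );
```

A rejected login during lockout also fires `wp_login_failed`, so the counter keeps climbing and the window keeps extending until the client stops trying.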